The Web Services Security default policy sets are based on the WS-Security 1.0 and Web Services Addressing (WS-Addressing) specifications. The Web Services Security default policy sets include the WSSecurity default policy set, the Lightweight Third-Party Authentication (LTPA) WSSecurity policy set, the Username WSSecurity policy set, and the Kerberos V5 HTTPS default policy set. These default policy sets are used to build secure web services.
The Web Services Security default policy sets use the WS-Security 1.0 specification enhancements to SOAP messaging to provide quality of protection through message integrity, message confidentiality, and single message authentication. Providing quality of protection means preventing the following threats to SOAP messages:

- The message being modified or read by an attacker.
- An attacker sending messages to a service that are well formed but lack the security claims required for them to be processed.
The WS-Addressing specification defines XML 1.0 and XML Namespaces elements to identify web services endpoints and to secure end-to-end endpoint identification in messages.
You can use the WSSecurity default policy set, the LTPA WSSecurity policy set, the Username WSSecurity policy set, or the Kerberos V5 HTTPS default policy set as provided with the application server. To customize a Web Services Security policy set, you must first copy the policy set, and then configure custom policy settings and bindings to meet your needs.
Features and details of the default Web Services Security policy sets are as follows:

- Kerberos V5 HTTPS default
  - This policy set provides message authentication with a Kerberos Version 5 token. Message integrity and confidentiality are provided by Secure Sockets Layer (SSL) transport security. This policy set follows the OASIS Kerberos Token Profile V1.1 and WS-Security specifications.
    When you use this policy set, configure the basic authentication data and custom properties such as the com.ibm.wsspi.wssecurity.krbtoken.targetServiceName and com.ibm.wsspi.wssecurity.krbtoken.targetServiceHost custom properties in the client bindings. For more information, see the Authentication generator or consumer token settings and Protection token settings (generator or consumer) topics.
- LTPA WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography) to encrypt the body, signature and signature elements using WS-Security specifications.
    - A Lightweight Third Party Authentication (LTPA) token included in the request message to authenticate the client to the service.
- Username SecureConversation
  - This policy set provides:
    - Message integrity through digital signature that includes signing the body, time stamp, and WS-Addressing headers using WS-SecureConversation and WS-Security specifications.
    - Message confidentiality through encryption that includes encrypting the body, signature and signature confirmation elements, using WS-SecureConversation and WS-Security specifications.
    - A username token included in the request message to authenticate the client to the service. The username token is encrypted in the request.
- Username WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography) to encrypt the body, signature and signature elements using WS-Security specifications.
    - A username token included in the request message to authenticate the client to the service. The username token is encrypted in the request.
- WSSecurity default
  - This policy set provides:
    - Message integrity through digital signature (using RSA public-key cryptography) to sign the body, time stamp, and WS-Addressing headers using WS-Security specifications.
    - Message confidentiality through encryption (using RSA public-key cryptography) to encrypt the body, signature and signature elements using WS-Security specifications.
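As an added example (not part of this documentation and not the application server's own code), the following Python check reads a WS-Security message and reports whether its signature references the parts that the WSSecurity and Username WSSecurity default policy sets require to be signed (body, time stamp, WS-Addressing headers) and whether a username token is present. The sample envelope, the exact set of WS-Addressing headers and the namespace versions are constructed assumptions, and the check is structural only (coverage, not signature verification), run on the message as the consumer sees it after decryption.

```python
import xml.etree.ElementTree as ET

# Namespace URIs used by WS-Security 1.0 and WS-Addressing messages.
NS = {
    "soap": "http://schemas.xmlsoap.org/soap/envelope/",
    "wsse": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd",
    "wsu": "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "wsa": "http://www.w3.org/2005/08/addressing",
}
WSU_ID = "{%s}Id" % NS["wsu"]
# Parts the policy set requires to be signed: body, time stamp and WS-Addressing
# headers (exactly which WS-Addressing headers is an assumption made here).
REQUIRED_SIGNED = {"Body", "Timestamp", "To", "Action", "MessageID"}


def audit_signature_coverage(envelope_xml: str) -> dict:
    """Structural check (no cryptographic verification): which required parts
    does ds:SignedInfo reference, and is a UsernameToken present? Run it on the
    message as the consumer sees it after decryption."""
    root = ET.fromstring(envelope_xml)
    sec = root.find("soap:Header/wsse:Security", NS)
    if sec is None:  # no Security header at all: nothing is signed
        return {"missing": sorted(REQUIRED_SIGNED), "username_token": False}
    # Map every wsu:Id in the envelope to the local name of the element carrying it.
    by_id = {el.get(WSU_ID): el.tag.rsplit("}", 1)[1]
             for el in root.iter() if el.get(WSU_ID)}
    refs = sec.findall("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    signed = {by_id.get(r.get("URI", "").lstrip("#")) for r in refs}
    return {"missing": sorted(REQUIRED_SIGNED - signed),
            "username_token": sec.find("wsse:UsernameToken", NS) is not None}


def sample_envelope(reference_ids) -> str:
    """Constructed test message (not captured from any product). reference_ids
    selects which wsu:Ids the signature claims to cover; digest/signature values
    are placeholders because only coverage is inspected."""
    refs = "".join('<ds:Reference URI="#%s"><ds:DigestValue>x</ds:DigestValue>'
                   '</ds:Reference>' % i for i in reference_ids)
    return ("<soap:Envelope xmlns:soap='%(soap)s' xmlns:wsse='%(wsse)s' "
            "xmlns:wsu='%(wsu)s' xmlns:ds='%(ds)s' xmlns:wsa='%(wsa)s'><soap:Header>"
            "<wsa:To wsu:Id='To'>http://example.invalid/svc</wsa:To>"
            "<wsa:Action wsu:Id='Action'>urn:example:echo</wsa:Action>"
            "<wsa:MessageID wsu:Id='MessageID'>urn:uuid:0</wsa:MessageID>"
            "<wsse:Security><wsu:Timestamp wsu:Id='Timestamp'><wsu:Created>"
            "2024-01-01T00:00:00Z</wsu:Created></wsu:Timestamp><wsse:UsernameToken>"
            "<wsse:Username>alice</wsse:Username></wsse:UsernameToken><ds:Signature>"
            "<ds:SignedInfo>" + refs + "</ds:SignedInfo><ds:SignatureValue>x"
            "</ds:SignatureValue></ds:Signature></wsse:Security></soap:Header>"
            "<soap:Body wsu:Id='Body'><echo>hi</echo></soap:Body></soap:Envelope>") % NS
```

A message whose signature omits the WS-Addressing headers is reported with those parts in `missing`, which is the condition a consumer-side policy would reject.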